Wanting to get detailed and clear logs of file/dir creation/open/save/deletion on some shares, I'm trying to reach a well-balanced setting of the extd_audit VFS module, as the standard logs are a bit "too much" for me.

I'm using the following global parameters:

    log file = /var/log/samba/%m.%U.log
    syslog = 0
    log level = 0 vfs:2
    max log size = 0

The share I'm interested in has the following VFS parameter:

    vfs objects = recycle extd_audit

...plus some options for recycle, and of course other standard share definition parameters.

Using this configuration, according to the docs, nothing should go into syslog, and samba logs - separated according to machine and user - should only contain extd_audit output; quoting from the official howto:

--------------------------------------------
Syslog can be used to record all transaction. This can be disabled by setting in the smb.conf file syslog = 0.

Logging can take place to the default log file (log.smbd) for all loaded VFS modules just by setting in the smb.conf file log level = 0 vfs:x, where x is the log level. This will disable general logging while activating all logging of VFS module activity at the log level specified.

Detailed logging can be obtained per user, per client machine, etc. This requires the above together with the creative use of the log file settings.
--------------------------------------------

Instead, here is what I can see:

- extd_audit output is going to syslog only, and it does not contain info about the user who executes the action, which makes it somewhat useless for multiuser environments; ok, you can find out the user by looking at the PID, but it's not an easy job if you are searching through megabytes of old logs;

- almost nothing is logged by extd_audit, regarding file reads!
  With 10 users simultaneously connected and working on Windows 2000 Pro client machines, in 1 hour's time only the following few operations have been logged:

    feb 8 11:37:44 gpserver smbd_audit[24489]: open Personali/SMo/Martina/Martina -1-COMPRESSA 2.jpg (fd 26)
    feb 8 12:01:52 gpserver smbd_audit[24506]: open rsaenh.dll (fd -1) failed: No such file or directory
    feb 8 12:19:39 gpserver smbd_audit[24506]: open quasi.rl4 (fd -1) failed: No such file or directory
    feb 8 12:19:39 gpserver smbd_audit[24506]: open sicure.rl4 (fd -1) failed: No such file or directory

  ...plus many failed opens of Desktop.ini, many opendirs and various connect/disconnect messages. I also expressly asked a user to open a specific JPG file in that share, she did (I checked with ls -l --time=atime), and nothing was logged about it.

- only a few smbd errors are logged into Samba logs in /var/log/samba, e.g. "couldn't find service" and "string overflow by 1".

This definitely is not the expected behaviour.
I'm having much the same experience using extd_audit. I've observed that many of the desired messages wind up in /var/log/messages rather than /var/log/samba/%m.%U.log, and also that the user id is missing from the audited operations, making the audit less than useful. I have used the identical settings described in Mr. De Vitis' report.
I looked at the ext_audit code and it seems that only syslog logging is available. So, redirect all your audit messages, using syslog, to a file. Later, grep the PID to find out which user realized the operations.

    [share]
    ext_audit: facility = LOCAL6

/etc/syslog.conf

    *.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages
    local6.* /var/log/local6.log

    tail /var/log/local6.log
    feb 8 11:37:44 gpserver smbd_audit[24489]: open Personali/SMo/Martina/Martina -1-COMPRESSA 2.jpg (fd 26)

    # to find out the user of the operation
    grep 24489 /var/log/local6.log | grep connect

HTH
Oliver
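The PID-to-user lookup suggested in the comment above, automated as an added example (not part of the thread and not Samba code). It assumes the connect record reads "connect to service X by user Y"; the sample lines, service name and user names are constructed. Because PIDs get reused across long logs, each operation is attributed to the most recent connect seen for its PID, and operations whose connect line is missing are marked UNKNOWN.

```python
import re

# Constructed sample in the syslog layout shown in the thread. The wording of
# the connect line is an assumption; adjust CONNECT_RE to what your
# smbd_audit actually writes.
SAMPLE = """\
feb 8 11:30:02 gpserver smbd_audit[24489]: connect to service docs by user alice
feb 8 11:37:44 gpserver smbd_audit[24489]: open Personali/report 2.jpg (fd 26)
feb 8 12:00:31 gpserver smbd_audit[24489]: connect to service docs by user bob
feb 8 12:01:52 gpserver smbd_audit[24489]: open rsaenh.dll (fd -1) failed: No such file or directory
feb 8 12:19:39 gpserver smbd_audit[24506]: open quasi.rl4 (fd -1) failed: No such file or directory
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+[\d:]+)\s+\S+\s+smbd_audit\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect to service (?P<svc>\S+) by user (?P<user>\S+)")


def attribute(lines):
    """Return (timestamp, pid, user, service, message) per audited operation."""
    owner = {}  # pid -> (user, service) from the most recent connect line
    out = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not an smbd_audit record
        pid, msg = m["pid"], m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            # A later connect on the same PID replaces the earlier owner,
            # so a recycled PID is not credited to the previous user.
            owner[pid] = (c["user"], c["svc"])
            continue
        if msg.startswith("disconnect"):
            continue  # session bookkeeping, not a file operation
        # Connect line may have been rotated away: flag it, do not guess.
        user, svc = owner.get(pid, ("UNKNOWN", "UNKNOWN"))
        out.append((m["ts"], pid, user, svc, msg))
    return out


if __name__ == "__main__":
    for rec in attribute(SAMPLE.splitlines()):
        print("%s pid=%s user=%s service=%s %s" % rec)
```

Feed it the whole file written by the local6 rule in time order (oldest rotated log first), since the attribution depends on seeing each connect before the operations that follow it.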
Deryck, want to take a look at extending the log messages in the audit modules?
We've got exactly the same result. When we set log level = 0 vfs:2, extd_audit doesn't show creation etc., while if we set log level = 2 then we got all kinds of logs, including extd_audit's creation etc.
Closing. Recommended to use full_audit.
What is the full_audit??? I can't find it anywhere!